Abstract. We introduce a new form of SAT-based symbolic model checking. One common idea in SAT-based symbolic model checking is to generate new clauses from states that can lead to property violations. Our previous work suggests applying induction to generalize from such states. While effective on some benchmarks, the main problem with inductive generalization is that not all such states can be inductively generalized at a given time in the analysis, resulting in long searches for generalizable states on some benchmarks. This paper introduces the idea of inductively generalizing states relative to $k$-step over-approximations: a given state is inductively generalized relative to the latest $k$-step over-approximation relative to which the negation of the state is itself inductive. This idea motivates an algorithm that inductively generalizes a given state at the highest level $k$ so far examined, possibly by generating more than one mutually $k$-step relative inductive clause. We present experimental evidence that the algorithm is effective in practice.



1 Introduction 

Several themes for SAT-based symbolic model checking [8] have been explored over the past decade [3,18,14,15,17,5]. A subset of these methods [14,17,5] derive new search-constraining clauses from discovered states that lead to property violations. In previous work, we introduced induction as one means of generalizing from such states. Given a cube $c$ that one would like to exclude because the states that it describes lead to violations of a desired property, a minimal inductive subclause $d$ of $\neg c$ is a clause whose literals are negations of those appearing in $c$ ($d \subseteq \neg c$) and that is inductive relative to known reachability information [5]. Not all cubes can be inductively generalized at a given time during proof construction, however. This inability to inductively generalize any given cube (whose satisfying states lead to property violations) limits the applicability of the technique as previously developed [5]: on some benchmarks, the model checker becomes embroiled in long fruitless searches for generalizable cubes. However, its success on some nontrivial benchmarks indicates that the fundamental idea of inductive generalization from states is worth exploring [4].

We describe in this paper a method based on induction for generalizing all cubes (unless the asserted property does not hold). The algorithm maintains a sequence $F_0, F_1, F_2, \ldots, F_k$ of over-approximations of sets of states reachable in at most $0, 1, 2, \ldots, k$ steps, for increasing $k$. It iteratively generalizes cubes: a cube $s$ that implies $F_k$ and that leads in one step to violating the property is inductively generalized relative to the most general over-approximation $F_i$ relative to which the negation of the state, $\neg s$, is itself inductive. If $i < k$, predecessors of $s$ are treated recursively until $s$ can be inductively generalized relative to $F_k$. We call this process $k$-step relative inductive generalization. Once $F_k$ is strengthened to the point that no $F_k$-state can transition into a property-violating state, $k$ is incremented and the generated clauses are propagated forward through $F_0, F_1, F_2, \ldots, F_{k+1}$ via implication checks. The iterations continue until convergence (if the property is invariant) or until discovery of a counterexample trace (if the property is not invariant). Section 3 presents this algorithm in detail.

The symbolic model checker based on $k$-step relative inductive generalization is robust. Section 4 details our implementation and experiments on the HWMCC 2008 benchmarks [?]. Our symbolic model checker outperforms the winner of the unsat division and the overall winner of the competition.

2 Preliminaries

2.1 Definitions

A finite-state transition system $S : (x, I, T)$ is described by a pair of propositional logic formulas: an initial condition $I(x)$ and a transition relation $T(x, x')$ over a set of Boolean variables $x$ and their next-state primed forms $x'$ [8]. Applying prime to a formula, $F'$, is the same as priming all of its variables.

A state of the system is an assignment of Boolean values to all $x$ and is described by a cube over $x$, which is a conjunction of literals, each literal a variable or its negation. The negation of a cube is a clause. An assignment $s$ to all variables of a formula $F$ either satisfies the formula, denoted $s \models F$, or falsifies it, denoted $s \not\models F$. A formula $F$ implies another formula $G$, written $F \Rightarrow G$, if every satisfying assignment of $F$ satisfies $G$.

A trace $s_0, s_1, s_2, \ldots$ of a transition system $S$, which may be finite or infinite in length, is a sequence of states such that $s_0 \models I$ and for each adjacent pair $(s_i, s_{i+1})$ in the sequence, $s_i \wedge s'_{i+1} \models T$. That is, a trace is the sequence of assignments in an execution of the transition system. A state that appears in some trace of the system is reachable.

A safety property $P(x)$ asserts that only $P$-states (states satisfying $P$) are reachable. $P$ is invariant for the system if indeed only $P$-states are reachable. If $P$ is not invariant, then there exists a finite counterexample trace $s_0, s_1, \ldots, s_k$ such that $s_k \not\models P$.

An inductive assertion $F(x)$ describes a set of states that (1) includes all initial states: $I \Rightarrow F$, and that (2) is closed under the transition relation: $F \wedge T \Rightarrow F'$. An assertion $F$ is inductive relative to another assertion $G$ if instead of (2), we have that $G \wedge F \wedge T \Rightarrow F'$.

An inductive strengthening of a safety property $P$ is a formula $F$ such that $F \wedge P$ is inductive. Since $F \wedge P \Rightarrow P$, $F$ is a proof of $P$'s invariance.



2.2 Inductive Generalization

In previous work, we introduced a technique for discovering a minimal inductive subclause $d$ of a given clause $c$ if one exists [5]. Such a clause $d$ (1) consists only of literals of $c$ ($d \subseteq c$), (2) is inductive (possibly relative to known reachability information), and (3) is minimal in that it does not contain any strict subclauses that are also inductive.

Inductive generalization of a cube $s$ is the process of finding a minimal inductive subclause $d$ of $\neg s$, if one exists. The resulting subclause (if one exists) over-approximates the set of reachable states while excluding $s$. In practice, a minimal inductive subclause is typically substantially smaller than the cube $s$ from which it is extracted. Hence, it excludes many other states as well, which is why we say that the inductive subclause generalizes that $s$ is unreachable.

3 Algorithm and Analysis

We describe a complete symbolic model checking algorithm for safety properties. Given a transition system $S : (x, I, T)$ and safety property $P$, it either generates a formula $F$ such that $F \wedge P$ is inductive or it discovers a counterexample trace.

Section 3.1 presents the algorithm informally, while Section 3.2 provides an example of its application. Then Section 3.3 formally describes and proves the correctness of the algorithm.

3.1 Informal Description

The algorithm constructs a sequence $F_0, F_1, F_2, \ldots$ of over-approximations of the state sets reachable in at most $0, 1, 2, \ldots$ steps. It incrementally refines the sequence until some $F_i$ converges to an inductive strengthening of $P$, or until it encounters a counterexample trace.

Initially, $F_0 = I$, and $F_i = P$ for $i > 0$, corresponding to the assumption that $P$ is invariant. Let $k$ be the level of $F_k$, the frontier of the sequence. The sequence satisfies the following invariants: (1) $F_0 = I$, (2) $\forall\, 0 \le i < k,\ F_i \Rightarrow F_{i+1}$, and (3) $\forall\, 0 \le i < k,\ F_i \wedge T \Rightarrow F'_{i+1}$. If $F_k \wedge T \Rightarrow P'$, then $F_{k+1}$ becomes the new frontier. Otherwise, there is a state $s$ that leads in one step to a violation of $P$.

Given such a state $s$, the algorithm finds the highest level $0 \le i \le k$ such that $\neg s$ is inductive relative to $F_i$. If $P$ is invariant, such a level exists. At this level, $s$ can be inductively generalized relative to $F_i$.

Inductive generalization produces a clause $c \subseteq \neg s$ that is inductive relative to $F_i$. It asserts that $s$, and any other state $t$ such that $t \not\models c$, is not reachable within $i + 1$ steps. Because $\neg s$ has been generalized to $c$, $c$ may exclude states that were previously admitted by some $F_j$ for $j < i + 1$. In other words, $c$ potentially represents new $j$-step reachability information at every level $j$ up to $i + 1$. Therefore, each $F_j$, for $1 \le j \le i + 1$, is strengthened to $F_j \wedge c$.

If $i = k$, then $s$ has been inductively generalized at the highest possible level, and $F_k$ no longer admits the state $s$, bringing the algorithm one step closer to strengthening $F_k$ such that $F_k \wedge T \Rightarrow P'$.

If $i < k$, then the generalization of $s$ at level $i$ must be pushed to level $k$. There must exist some predecessor $p$ of $s$ admitted by $F_{i+1}$ but excluded by $F_i$. This predecessor is one of the reasons that $\neg s$ is not inductive relative to $F_{i+1}$. Now $p$ is considered recursively for inductive generalization. This recursion continues until $s$ can be inductively generalized relative to $F_k$.

Once $F_k \wedge T \Rightarrow P'$ holds, the clauses that have been generated so far are propagated forward through $F_0, F_1, F_2, \ldots, F_k$: for each clause $d \in \mathit{clauses}(F_i)$, if $F_i \wedge d \wedge T \Rightarrow d'$, then $d$ is conjoined to $F_{i+1}$. If the clause sets of two adjacent levels, $F_i$ and $F_{i+1}$, become equal, then $F_i$ is an inductive strengthening of $P$ that proves $P$'s invariance.

If $P$ is not invariant, the algorithm discovers a counterexample trace, though not necessarily a shortest. Let $s_0, s_1, \ldots, s_n$ be a shortest counterexample trace. The algorithm finds a counterexample trace when $k = n$, if not earlier. For when $k = n$, each $s_i$, for $2 \le i \le n$, can be shown to be inductive relative to at most $F_{i-2}$. Hence, $s_1$ (or another 1-step state from another counterexample trace) must eventually be analyzed during the recursion associated with inductively strengthening $s_n$ (or another state from another counterexample trace) relative to $F_n$, at which point it would be found to be reachable from an initial state.



3.2 An Illustrative Example

Consider the contrived transition system $S : (x, I, T)$ with variables $x = \{x_0, x_1, x, y_0, y_1, y, z\}$, initial condition

$$I : x_0 \wedge \neg x_1 \wedge x \wedge (y_0 = \neg y_1) \wedge y \wedge z,$$

and transition relation

$$T : (x_0' = \neg x_0) \wedge (x_1' = \neg x_1) \wedge (x' = x_0 \vee x_1) \wedge (y_0' = x \wedge \neg y_0) \wedge (y_1' = x \wedge \neg y_1) \wedge (y' = y_0 \vee y_1) \wedge (z' = x \wedge y).$$

The intention is that $x$ and $y$, and thus $z$, are always true. This intention is asserted as the safety assertion $P : z$. We apply the algorithm to this transition system to prove the invariance of $P$.

1. $F_0$ is initialized to $I$, each of $F_1, F_2, \ldots$ to $P$, and $k$ to 1.

2. $F_1 \wedge T \wedge \neg P'$ is satisfiable. One satisfying assignment yields the $\neg P$-predecessor $s_1 : \neg x_0 \wedge \neg x_1 \wedge \neg x \wedge \neg y_0 \wedge \neg y_1 \wedge \neg y \wedge z$. Is $\neg s_1$ inductive relative to $F_1$? Yes, as $F_1 \wedge \neg s_1 \wedge T$ implies $\neg s_1'$. Inductive generalization of $s_1$ relative to $F_1$ yields the clause $c_1 : x_0 \vee x$, where (1) $c_1 \subseteq \neg s_1$, and (2) $c_1$ is inductive relative to $F_1$. As Table 1 illustrates, $c_1$ is conjoined at both levels 1 and 2 while still maintaining the invariants on the sequence $F_0, F_1, F_2, \ldots$ discussed above. The clause $c_1$ not only excludes $s_1$ but also many other states, which is the purpose of inductive generalization.

3. $F_1 \wedge T \wedge \neg P'$ is still satisfiable. One satisfying assignment yields the $\neg P$-predecessor $s_2 : x_0 \wedge \neg x_1 \wedge \neg x \wedge \neg y_0 \wedge \neg y_1 \wedge \neg y \wedge z$. $\neg s_2$ is inductive relative to $F_1$. Inductive generalization yields from $\neg s_2$ the clause $c_2 : x_1 \vee x$, which is also inductive relative to $F_1$.


Table 1. Incremental construction of an inductive strengthening assertion. Clauses: $c_1 : x_0 \vee x$, $c_2 : x_1 \vee x$, $c_3 : \neg y_0 \vee y$, $c_4 : x_0 \vee x_1$, $c_5 : \neg x_0 \vee \neg x_1$, $c_6 : x$. (The per-level columns $F_0, F_1, F_2, \ldots$ of the table are not recoverable; the placement of each clause is described in the steps below.)



4. $F_1 \wedge T \wedge \neg P'$ is still satisfiable. One satisfying assignment yields the $\neg P$-predecessor $s_3 : x_0 \wedge x_1 \wedge \neg x \wedge y_0 \wedge y_1 \wedge \neg y \wedge z$, which has predecessor $s_4 : \neg x_0 \wedge \neg x_1 \wedge x \wedge \neg y_0 \wedge \neg y_1 \wedge y \wedge z$ at level 1. Hence, $\neg s_3$ is not inductive relative to $F_1$. However, it is inductive relative to $F_0$, and inductive generalization yields from $\neg s_3$ the clause $c_3 : \neg y_0 \vee y$ at level 0. As Table 1 indicates, $c_3$ is only placed at level 1 (and implicitly at level 0).

5. The state $s_3$ is again considered at level 1, but as $c_3$ does not exclude $s_4$, $\neg s_3$ is still not inductive relative to $F_1$. Therefore $s_4$ is considered. But it, too, has a predecessor $s_5 : x_0 \wedge x_1 \wedge x \wedge y_0 \wedge y_1 \wedge y \wedge z$ at level 1. However, it is inductive relative to $F_0$, and inductive generalization yields $c_4 : x_0 \vee x_1$ at level 0.

6. Now either $s_3$ or $s_4$ must be considered at level 1. Choosing $s_3$ reveals that $\neg s_3$ is now inductive relative to $F_1$, and inductive generalization yields $c_5 : \neg x_0 \vee \neg x_1$ at level 1. Notice how the deduction of $c_4$ at level 0 is crucial to the deduction of $c_5$ at level 1.

7. To finish this iteration, it remains to address $s_4$ at level 1. With the addition of $c_5$, $\neg s_4$ is inductive relative to $F_1$, and inductive generalization yields again the clause $c_4 : x_0 \vee x_1$, but now at level 1 instead of level 0. Inductively generalizing cubes at the highest possible levels until convergence at $k$ makes it possible to deduce the equivalence $x_0 = \neg x_1$, which requires two clauses to express.

8. $F_1 \wedge T \wedge \neg P'$ is still satisfiable. One satisfying assignment yields the $\neg P$-predecessor $s_6 : x_0 \wedge \neg x_1 \wedge \neg x \wedge y_0 \wedge y_1 \wedge \neg y \wedge z$, which is inductive relative to $F_1$. Inductive generalization yields the clause $c_6 : x$ at level 1.

9. With $x$ at level 1, analysis of the $y$ component of the transition system proceeds similarly until $F_1 \wedge T \wedge \neg P'$ becomes unsatisfiable.

10. Propagation from $F_1$ to $F_2$ and from $F_2$ to $F_3$ reveals that all clauses are inductive and inductively strengthen $z$. Simplifying through subsumption and rewriting the formula yields the expected inductive strengthening

$$x_0 = \neg x_1 \;\wedge\; x \;\wedge\; y_0 = \neg y_1 \;\wedge\; y \;\wedge\; z$$

of the safety assertion $P : z$, thus proving its invariance.



3.3 Formal Presentation and Analysis

We present the algorithm and its proof of correctness simultaneously with formally annotated pseudocode in Listings 1.1–1.4 using the classic approach to program verification [11,13]. All assertions are inductive, but the ranking functions require some additional reasoning. For convenience, some assertions are labeled and subsequently referenced in annotations.



Listing 1.1. The main function

  -- post: rv iff P is invariant
  bool prove():
    if either I ∧ ¬P or I ∧ T ∧ ¬P' is satisfiable:
      -- assert: there exists a counterexample trace
      return false
    F_0 := I, clauses(F_0) := ∅
    F_i := P, clauses(F_i) := ∅ for all i > 0
    for k = 1 to ...:
      -- rank: at most 2^|x| + 1
      -- assert (A):
      --   (1) ∀ i ≥ 0, F_i ⇒ F_{i+1}
      --   (2) ∀ i ≥ 0, F_i ⇒ P
      --   (3) ∀ i ≥ 0, clauses(F_{i+1}) ⊆ clauses(F_i)
      --   (4) ∀ 0 ≤ j < k, F_j ∧ T ⇒ F'_{j+1}
      --   (5) ∀ j > k, |clauses(F_j)| = 0
      if not check(k):
        -- assert: there exists a counterexample trace
        return false
      propagate(k)
      if there exists 1 ≤ i ≤ k such that clauses(F_i) = clauses(F_{i+1}):
        -- assert:
        --   (1) I ⇒ F_i
        --   (2) F_i ∧ T ⇒ F'_i
        --   (3) F_i ⇒ P
        return true



Listing 1.1 presents the top-level function prove, which returns true if and only if $P$ is invariant. First it looks for 0-step and 1-step counterexample traces. If none are found, $F_0, F_1, F_2, \ldots$ are initialized to assume that $P$ is invariant, while their clause sets are initialized to empty. As a formula, $F_i$ for $i > 0$ is interpreted as $P \wedge \bigwedge \mathit{clauses}(F_i)$. Then it constructs the sequence of $k$-step over-approximations starting with $k = 1$. On each iteration, it first calls check($k$) (Listing 1.2), which strengthens $F_i$ for $1 \le i \le k$ so that $F_i$-states are at least $k - i + 1$ steps away from violating $P$. Then it calls propagate($k$) (Listing 1.2) to propagate clauses forward through $F_1, F_2, \ldots, F_{k+1}$ based on their having become inductive relative to higher levels during the call to check. If this propagation yields any adjacent levels that share all clauses (a simple syntactic check, not a validity check), an inductive strengthening of $P$ has been discovered.

While the assertions are inductive, an argument needs to be made to justify the ranking function. By A.3, the state sets represented by $F_0, F_1, \ldots, F_k$ are nondecreasing with level. To avoid termination at the if check requires that they be strictly increasing with level, which is impossible when $k$ exceeds the number of possible states. Hence, $k$ is bounded by $2^{|x|} + 1$, and, assuming that the called functions always terminate, prove always terminates.

For a given level $k$, check($k$) (Listing 1.2) iterates until $F_k$ excludes all states that can lead to a violation of $P$ in one step. Suppose $s$ is one such state. It is


Listing 1.2. The check and propagate functions

  -- pre:
  --   (1) A
  --   (2) k ≥ 1
  -- post:
  --   (1) A.1-3
  --   (2) if rv then ∀ 0 ≤ i ≤ k, F_i ∧ T ⇒ F'_{i+1}
  --   (3) ∀ i > k + 1, |clauses(F_i)| = 0
  --   (4) if not rv then there exists a counterexample trace
  bool check(k : level):
    try:
      while F_k ∧ T ∧ ¬P' is satisfiable:
        -- rank: at most 2^|x|
        -- assert (B):
        --   (1) A.1-4
        --   (2') ∀ c ∈ clauses(F_{k+1}), F_k ∧ T ⇒ c'
        --   (3) ∀ i > k + 1, |clauses(F_i)| = 0
        let s be the predecessor extracted from the witness
        -- assert: k < 2 or ¬s is inductive relative to F_{k-2}
        n := inductive(s, k - 2, k)
        push({(n + 1, s)}, k)
        -- assert (C): s ⊭ F_k
      return true
    except Counterexample:
      return false

  -- pre/post:
  --   (1) A.1-3
  --   (2) ∀ 0 ≤ i ≤ k, F_i ∧ T ⇒ F'_{i+1}
  --   (3) ∀ i > k + 1, |clauses(F_i)| = 0
  void propagate(k : level):
    for i = 1 to k:
      for each c in clauses(F_i):
        -- assert: pre/post
        if F_i ∧ T ∧ ¬c' is unsatisfiable:
          F_{i+1} := F_{i+1} ∧ c



eliminated by, first, inductively generalizing it at the highest level $n$ at which $\neg s$ is inductive relative to $F_n$ through a call to inductive($s$, $k - 2$, $k$) (Listing 1.3) and then, second, pushing for a generalization at level $k$ through a call to push({($n + 1$, $s$)}, $k$) (Listing 1.4). At the end of the iteration, $F_k$ excludes $s$ (assertion C). This progress implies that the loop can iterate at most as many times as there are possible states, yielding check's ranking function.

Notice how check, according to its postcondition, preserves loop invariants A.1–3 while incrementing A.4–5 to apply to an additional step (see postconditions (2) and (3)), unless a counterexample is found.

The functions inductive and generate (Listing 1.3) perform inductive generalization. The details of discovering an inductive subclause are described in



Listing 1.3. i-step relative inductive generalization

  -- pre:
  --   (1) B
  --   (2) i ≥ 0
  --   (3) ¬s is inductive relative to F_i
  -- post:
  --   (1) B
  --   (2) s ⊭ F_{i+1}
  void generate(s : state, i : level, k : level):
    c := find subclause of ¬s that is inductive relative to F_i
    for j = 1 to i + 1:
      -- assert:
      --   (1) B
      --   (2) s ⊭ F_{j-1}
      F_j := F_j ∧ c

  -- pre:
  --   (1) B
  --   (2) min ≥ -1
  --   (3) min < 0 or ¬s is inductive relative to F_min
  --   (4) there is a trace from s to a ¬P-state
  -- post:
  --   (1) B
  --   (2) min ≤ rv ≤ k, rv ≥ 0
  --   (3) s ⊭ F_{rv+1}
  --   (4) ¬s is inductive relative to F_rv
  level inductive(s : state, min : level, k : level):
    if min < 0 and F_0 ∧ T ∧ ¬s ∧ s' is satisfiable:
      -- assert: there exists a counterexample trace
      raise Counterexample
    for i = max(1, min + 1) to k:
      -- assert:
      --   (1) B
      --   (2) min < i ≤ k
      --   (3) ∀ 0 ≤ j < i, ¬s is inductive relative to F_j
      if F_i ∧ T ∧ ¬s ∧ s' is satisfiable:
        generate(s, i - 1, k)
        return i - 1
    generate(s, k, k)
    return k



previous work [5]. One interesting observation, however, is that when calling inductive, a minimum level min at which $\neg s$ is inductive relative to $F_{\mathit{min}}$ can be supplied. At the call inductive($s$, $k - 2$, $k$) in check (Listing 1.2), $s \not\models F_{k-1}$ by A.2 and A.4, so that $\neg s$ is inductive relative to $F_{k-2}$ by A.4. At the call inductive($p$, $n - 2$, $k$) in push (Listing 1.4), $\neg s$ is inductive relative to $F_{n-1}$, so that $p \not\models F_{n-1}$ and thus $\neg p$ is inductive relative to $F_{n-2}$ by A.4. If min $< 0$, then it is possible that $s$ is reachable from an initial state, hence the satisfiability check against $F_0$ at the start of inductive.



Listing 1.4. The push function for k-step relative inductive generalization

  -- pre:
  --   (1) B
  --   (2) ∀ (i, q) ∈ states, 0 < i ≤ k + 1
  --   (3) ∀ (i, q) ∈ states, q ⊭ F_i
  --   (4) ∀ (i, q) ∈ states, ¬q is inductive relative to F_{i-1}
  --   (5) ∀ (i, q) ∈ states, there is a trace from q to a ¬P-state
  -- post:
  --   (1) B
  --   (2) ∀ (i, q) ∈ states, q ⊭ F_k
  void push(states : (level, state) set, k : level):
    while true:
      -- rank: at most (k + 1) 2^|x|
      -- assert (D):
      --   (1) B
      --   (2) ∀ (i, q) ∈ states_prev, ∃ j ≥ i, (j, q) ∈ states
      --   (3) ∀ (i, q) ∈ states, 0 < i ≤ k + 1
      --   (4) ∀ (i, q) ∈ states, q ⊭ F_i
      --   (5) ∀ (i, q) ∈ states, ¬q is inductive relative to F_{i-1}
      --   (6) ∀ (i, q) ∈ states, there is a trace from q to a ¬P-state
      (n, s) := choose pair from states that minimizes n
      -- assert: ∀ (i, q) ∈ states, n ≤ i
      if n > k:
        return
      if F_n ∧ T ∧ s' is satisfiable:
        let p be the predecessor extracted from the witness
        -- assert (E):
        --   (1) ∀ (i, q) ∈ states, p ≠ q
        --   (2) n < 2 or ¬p is inductive relative to F_{n-2}
        m := inductive(p, n - 2, k)
        states := states ∪ {(m + 1, p)}
      else:
        m := inductive(s, n, k)
        -- assert (F): m + 1 > n
        states := states \ {(n, s)} ∪ {(m + 1, s)}



The push algorithm (Listing 1.4) is the key to "pushing" inductive generalization to higher levels. The insight is simple: if a state $s$ is not inductive relative to $F_i$, apply inductive generalization to its predecessors that satisfy $F_i$. The complication is that this recursive analysis must proceed in a manner that terminates despite the presence of cycles in the system's state graph. To achieve termination, a set states of pairs $(i, s)$ is maintained such that each pair $(i, s) \in$ states represents the knowledge that (1) $\neg s$ is inductive relative to $F_{i-1}$, and (2) $F_i$ excludes $s$. The loop in push always selects a pair $(n, s)$ from states such that $n$ is minimal over the set. Hence, none of the states already represented in states can be a predecessor of $s$ at level $n$.

Formally, termination of push is established by the inductive assertions D.2, which asserts that the set of states represented in states does not decrease; E.1, which asserts that each state in states is represented by at most one pair in states; and F, which asserts that the level associated with a state can only increase. Given that each iteration either adds a new state to states or increases a level for some state already in states and that levels peak at $k + 1$, the number of iterations is bounded by the product of $k + 1$ and the size of the state space.

The inductive proof in Listings 1.1–1.4 and the termination arguments yield total correctness:

Theorem 1. For finite transition system $S : (x, I, T)$, the algorithm always terminates and returns true if and only if safety assertion $P$ is invariant.
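The following Python is an added example, not code from the paper or its implementation: it runs Listings 1.1–1.4 on the seven-variable system of Section 3.2, answering every satisfiability query by enumerating the 128 states instead of calling a SAT solver. The class and function names, the deterministic next-state function standing in for $T$, and the greedy literal-dropping search inside generate (in place of the paper's minimal-subclause procedure) are this example's own choices.

```python
# k-step relative inductive generalization (Listings 1.1-1.4) run on the 7-variable
# system of Section 3.2.  Constructed example, not the paper's code: satisfiability
# queries are answered by enumerating the 2^7 states, and T is a next-state function.
from itertools import product

VARS = ("x0", "x1", "x", "y0", "y1", "y", "z")
ALL_STATES = [dict(zip(VARS, bits)) for bits in product((False, True), repeat=7)]

def init(s):  # I : x0 ∧ ¬x1 ∧ x ∧ (y0 = ¬y1) ∧ y ∧ z
    return s["x0"] and not s["x1"] and s["x"] and s["y0"] != s["y1"] and s["y"] and s["z"]
def step(s):  # T : x0'=¬x0, x1'=¬x1, x'=x0∨x1, y0'=x∧¬y0, y1'=x∧¬y1, y'=y0∨y1, z'=x∧y
    return {"x0": not s["x0"], "x1": not s["x1"], "x": s["x0"] or s["x1"],
            "y0": s["x"] and not s["y0"], "y1": s["x"] and not s["y1"],
            "y": s["y0"] or s["y1"], "z": s["x"] and s["y"]}
def prop(s):  # P : z
    return s["z"]
def sat(clause, s):  # clauses and cubes are frozensets of (variable, value) literals
    return any(s[v] == b for v, b in clause)
def neg(c):  # the negation of a cube is a clause, and vice versa
    return frozenset((v, not b) for v, b in c)
class Counterexample(Exception): pass

class Prover:
    def __init__(self, I, T, P):
        self.I, self.T, self.P = I, T, P
        self.F = [None]  # F[0] stands for I; F[i] holds clauses(F_i), with P implicit

    def states(self, i):  # the states satisfying F_i (F_0 = I)
        ok = self.I if i == 0 else (lambda s: self.P(s) and all(sat(c, s) for c in self.F[i]))
        return [s for s in ALL_STATES if ok(s)]

    def rel_inductive(self, i, c):  # I ⇒ c and F_i ∧ c ∧ T ⇒ c'
        return (all(sat(c, s) for s in self.states(0)) and
                all(sat(c, self.T(s)) for s in self.states(i) if sat(c, s)))

    def generate(self, s, i, k):
        # Add a subclause of ¬s that is inductive relative to F_i to F_1 .. F_{i+1}.
        # Literals are dropped greedily, a simpler search than the paper's minimal one.
        c = set(neg(s))
        for lit in sorted(c):
            if len(c) > 1 and self.rel_inductive(i, frozenset(c - {lit})):
                c.remove(lit)
        for j in range(1, i + 2):
            self.F[j].add(frozenset(c))

    def inductive(self, s, lo, k):  # Listing 1.3: highest level <= k at which ¬s is inductive
        if lo < 0 and not self.rel_inductive(0, neg(s)):
            raise Counterexample  # s is initial or one step from an initial state
        for i in range(max(1, lo + 1), k + 1):
            if not self.rel_inductive(i, neg(s)):
                self.generate(s, i - 1, k)
                return i - 1
        self.generate(s, k, k)
        return k

    def push(self, states, k):  # Listing 1.4: raise every (level, state) pair past level k
        while True:
            n, s = min(states, key=lambda pair: pair[0])
            if n > k:
                return
            pred = next((t for t in self.states(n) if self.T(t) == dict(s)), None)
            if pred is not None:  # an F_n-predecessor blocks ¬s: generalize it first
                p = frozenset(pred.items())
                states.add((self.inductive(p, n - 2, k) + 1, p))
            else:  # ¬s is inductive relative to F_n: generalize s at a higher level
                states.discard((n, s))
                states.add((self.inductive(s, n, k) + 1, s))

    def check(self, k):  # Listing 1.2: strengthen F_k until no F_k-state violates P next
        try:
            while True:
                bad = next((s for s in self.states(k) if not self.P(self.T(s))), None)
                if bad is None:
                    return True
                s = frozenset(bad.items())
                self.push({(self.inductive(s, k - 2, k) + 1, s)}, k)
        except Counterexample:
            return False

    def propagate(self, k):  # Listing 1.2: copy c from F_i to F_{i+1} when F_i ∧ T ⇒ c'
        for i in range(1, k + 1):
            for c in list(self.F[i]):
                if all(sat(c, self.T(s)) for s in self.states(i)):
                    self.F[i + 1].add(c)

    def prove(self):  # Listing 1.1: clauses of an inductive strengthening of P, else None
        if any(not (self.P(s) and self.P(self.T(s))) for s in self.states(0)):
            return None  # 0-step or 1-step counterexample
        for k in range(1, len(ALL_STATES) + 2):
            self.F.extend(set() for _ in range(k + 2 - len(self.F)))  # F_{k+1} must exist
            if not self.check(k):
                return None
            self.propagate(k)
            for i in range(1, k + 1):
                if self.F[i] == self.F[i + 1]:
                    return self.F[i]

def is_strengthening(clauses, I=init, T=step, P=prop):  # I ⇒ F∧P and F∧P∧T ⇒ (F∧P)'
    F = lambda s: P(s) and all(sat(c, s) for c in clauses)
    return all(F(s) for s in ALL_STATES if I(s)) and all(F(T(s)) for s in ALL_STATES if F(s))
```

Because literals are dropped in a fixed order, the clauses found can differ from $c_1, \ldots, c_6$ in Section 3.2, but the returned clause set is always an inductive strengthening of $P : z$ (checked by is_strengthening).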

3.4 Variations

Notice that inductive and generate (Listing 1.3) together generate a subclause of $\neg s$ that is inductive relative to $F_i$, where $i$ is the greatest level for which $\neg s$ is itself inductive relative to $F_i$. It is actually possible to find the highest level $j \ge i$ for which $\neg s$ has a subclause that is inductive relative to $F_j$ even if $\neg s$ is not itself inductive relative to $F_j$ (that is, $j > i$). The difference between these two approaches is in whether the down function of [5] is ever applied to $\neg s$. In the method of inductive and generate, it is not; in the variation, it is.

While generalizing at higher levels is desirable, applying down to large clauses, such as $\neg s$, is the most expensive phase of inductive generalization in practice. On particularly large benchmarks with thousands of latches this phase can take prohibitively long; for example, on the neclaftpX00X benchmarks from HWMCC'08, this variation does not typically terminate in under 15 minutes.

One might wonder, therefore, if a weaker but faster inductive generalization procedure could be used. An obvious such procedure is the following: rather than using full induction, one could search for clauses that are established in the next state without assuming them as inductive hypotheses; in other words, perform a search for an implicate subclause (that is also inductive) rather than for an inductive subclause. Experiments indicate that using this generalization yields an overall model checker that is rarely faster and often significantly slower despite the superior speed of the individual generalizations. Of course, a positive spin on this disappointing result is that full induction is apparently a powerful generalization technique compared to searching for implicates.

4 Implementation and Experiments

4.1 Implementation

We implemented the algorithm using O'Caml for top-level reasoning, MiniSAT 2.0 for preprocessing the transition relation [9], and ZChaff for SAT-solving because of its incremental solving capability [16]. Notice that the SAT-solving libraries were available before 2008; thus, our performance on the HWMCC'08 benchmarks reported below cannot be attributed to superior SAT solvers.

Preprocessing. MiniSAT 2.0 provides an interface for "freezing" variables that should not be chosen for elimination during preprocessing. We use it to simplify the given transition relation once and for all [10]. Reducing the transition relation according to the cone-of-influence [5] followed by preprocessing yielded significant performance improvements for inductive generalization. It is likely that more sophisticated preprocessing would yield better performance.

Incremental SAT-Solving. Our technique requires solving hundreds to thousands of SAT problems per second in an incremental fashion. While MiniSAT 2.0 provides the ability to maintain context and change assumptions in the form of literals, only ZChaff, as far as we know, provides competitive SAT-solving combined with the ability to push and pop incremental context that includes sets of clauses. It is likely that a fully incremental version of a modern SAT solver would yield better performance.

Optimizations. Given that our algorithm relies on inductive generalization, we implemented a simple method to extract literal invariants that are obvious from the structure of the initial condition and transition relation. This optimization greatly improved performance on the neclaftpX00X benchmarks.

We implemented binary, rather than linear, search in the function inductive.

In our implementation of inductive generalization [5], we use a simple threshold to end the search for a minimal inductive subclause. If a certain number of randomly chosen literals (three in our implementation) are determined to be necessary to yield an inductive subclause, the search for a smaller inductive subclause ends. While minimality is no longer guaranteed, the resulting clauses are sufficiently strong (and probably minimal).

Finally, we implemented a VSIDS-like literal-ordering heuristic to guide which inductive clauses are discovered from a given cube [16]. Since a given clause can have many minimal inductive subclauses, the idea is to focus on those literals whose negations have appeared most frequently in examined states in recent history. Unfortunately, whether the heuristic has any benefit is unclear.

4.2 Experiments

The benchmarks and results from the Hardware Model Checking Competition 2008 provide a means of comparing different model checking algorithms [5]. We report our performance on these benchmarks.

We performed all experiments on a laptop equipped with an Intel Core 2 Duo 2.2 GHz processor, although only one core was used, and 4 GB of memory. In the HWMCC'08 competition, entries ran on Pentium IV 3 GHz processors with 2 GB of memory. After reading various online forums, we concluded that our processor provides a speed advantage of approximately 1.8x over the hardware used in the competition. Thus, rather than counting the number of benchmarks solved in under 900 seconds, we count only those solved in under 500 seconds.

Our implementation constructs proofs of unsatisfiability for 325 benchmarks in under 500 seconds and using at most 1.5 GB of memory, compared to the 314 solved by abc, the winner of the unsat division of the competition. Ten of these benchmarks were not solved during the competition. It finds counterexample traces in 234 cases, surprisingly competitive with BMC [3]. The top four entries for the satisfiable problems, all based on BMC, found 247, 243, 239, and 239 counterexamples, respectively. Our total number of solved problems is thus 559, seven more than abc, the winner of the overall competition.

Table 2 presents data for the 38 benchmarks that our implementation proved unsatisfiable in the allotted time (500 seconds) and memory (1.5 GB) that were solved by at most three competitors. The second column lists those competitors who solved the benchmark, their time in seconds (unscaled), and their peak memory consumption in MB. The third through sixth columns list our implementation's time in seconds scaled by 1.8 to allow for better comparison, memory consumption in MB, the number of thousands of SAT instances solved, and the number of the clauses in the proof, respectively. Again, the time for our implementation is multiplied by 1.8, so indicated runtime can be over 500 seconds despite our setting the timeout at 500 seconds.

In case the 1.8 scaling to compensate for different processors is considered too low, the results for 3.0 scaling are the following: 317 proofs and 228 counterexamples, with 545 benchmarks solved overall.

5 Related Work

SAT-based unbounded model checking was the first symbolic model checking approach based on generating clauses [14]. It discovers implicates to generalize states leading to property violations. The overall iterative structure is the same as standard symbolic model checking. In our algorithm, induction is a means not only for generalizing from states but also for abstracting the system based on the property, allowing the analysis of large transition systems.

Our algorithm can be seen as an instance of predicate abstraction/refinement [12,7] in that the minor iterations generate new predicates (clauses) while the major iterations propagate them. If the clauses are insufficient for convergence to an inductive strengthening assertion, the next minor iteration generates additional clauses that allow propagation to continue at least one additional step.

The $k$-step over-approximation structure of $F_0, F_1, F_2, \ldots, F_k$ is similar to that of interpolation-based model checking (ITP) [15], which uses an interpolant from an unsatisfiable $K$-step BMC query to compute the post-image approximately. All states in the image are at least $K - 1$ steps away from violating the property. A larger $K$ refines the image by increasing the minimum distance to violating states. In our algorithm, if the frontier is at level $k$, then $F_i$, for $0 \le i \le k$, represents states that are at least $k - i$ steps from violating the property. As $k$ increases, the minimum number of steps from $F_i$-states to violating states increases. In both cases, increasing $k$ (in ours) or $K$ (in ITP) sufficiently for a correct system yields an inductive assertion. However, the algorithms differ in their underlying "technology": ITP computes interpolants from $K$-step



Table 2. Solved benchmarks that were solved in HWMCC'08 by at most three solvers. Columns: competitors that solved the benchmark (solver/sec/MB); our time in seconds (scaled by 1.8); our peak memory in MB; thousands of SAT instances solved; number of clauses in the proof. The table is truncated at the end of the page.

Benchmark           | Solved by (solver/sec/MB)                      | Sec | MB   | SAT (k) | Proof
bjrb07amba6andenv   | abc/309/166 pdtravbdd/19/61                    | 462 | 364  | 11      | 269
bjrb07amba7andenv   | abc/203/180 pdtravbdd/242/71                   | 169 | 253  | 7       | 221
intel005            | pdtravitp/348/143 tipidi/367/425               | 32  | 79   | 28      | 931
intel007            | pdtravcbq/881/185                              | 541 | 228  | 76      | 2906
intel026            |                                                | 261 | 277  | 96      | 1335
intel037            |                                                | 207 | 786  | 2       | 157
intel054            | tipidi/2/8 tipids/2/8 tipind/2/8               | 414 | 174  | 271     | 4544
intel055            | tipidi/43/12 tipids/43/12                      | 39  | 95   | 30      | 615
intel056            | tipidi/7/13 tipids/8/13                        | 91  | 79   | 93      | 1597
intel057            | tipidi/2/6 tipids/2/6 tipind/2/6               | 176 | 129  | 142     | 2332
intel059            | tipidi/4/8 tipids/4/8                          | 46  | 74   | 53      | 982
neclabakery001      | aigtrav/14/95 pdtravbdd/18/54 tipind/422/34    | 156 | 233  | 417     | 2755
neclaftp1001        |                                                | 84  | 781  | 1       | 669
neclaftp1002        |                                                | 284 | 1417 | 3       | 707
neclaftp2001        | tipidi/839/122 tipids/838/122 tipind/834/123   | 43  | 466  | 1       | 638
neclaftp2002        | tipind/898/175                                 | 248 | 816  | 3       | 644
neclatcasla001      | tipidi/0/0 tipids/0/0 tipind/0/0               | 3   | 56   | 1       | 86
neclatcasall001     | tipidi/0/0 tipids/0/0 tipind/0/0               | 45  | 97   | 20      | 279
nusmvbrp            | pdtravbdd/456/74 pdtravcbq/187/283             | 21  | 50   | 56      | 688
nusmvguidancep2     | pdtravbdd/478/61 tipidi/873/394                | 23  | 78   | 16      | 164
nusmvguidancep3     | pdtravbdd/59/44                                | 16  | 70   | 10      | 121
nusmvguidancep6     | abc/34/35 pdtravbdd/54/44 pdtravitp/92/177     | 10  | 69   | 8       | 97
pdtvisbakery0       | abc/21/97 pdtravbdd/28/60                      | 113 | 164  | 36      | 215
pdtvisbakery1       | abc/96/97 pdtravbdd/44/61                      | 144 | 182  | 44      | 308
pdtvisbakery2       | abc/57/95 pdtravbdd/114/64                     | 136 | 191  | 42      | 371
pdtvisgoodbakery0   | abc/45/98 pdtravbdd/57/64                      | 203 | 202  | 65      | 601
pdtvisgoodbakery1   | abc/102/95 pdtravbdd/51/63                     | 142 | 175  | 46      | 458
pdtvisgoodbakery2   | abc/118/97 pdtravbdd/49/60                     | 153 | 193  | 47      | 372
pdtvisns3p00        |                                                | 244 | 138  | 120     | 1709
pdtvisns3p01        | pdtravcbq/618/266 tipids/670/145               | 352 | 131  | 152     | 2287
pdtvisns3p02        |                                                | 196 | 129  |         |


100 


1169 


pdtvisns3p03 




230 


121 


106 


1398 


pdtvisns3p04 




550 


115 


207 


2187 


pdtvisns3p06 


pdtravcbq/823/278 


837 


164 


289 


2845 


pdtvisns3p07 




311 


131 


145 


1453 


pdtvi srethersqo4 


abc/23/15 


162 


157 


341 


3394 


pdtvissoapl 


pdtravitp/384/520 


70 


102 


42 


807 


pdtvissoap2 




108 


101 


65 


1789 



BMC queries, while our algorithm uses inductive generalization of cubes, which 
requires only 1-step BMC queries for arbitrarily large k. 
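The distance claim above (every state in F_i is at least k − i steps from violating the property when the frontier is at level k) can be checked concretely on an explicit-state toy system. The following is an added example, not code from the paper; the transition system, the frame sets, and the frame conditions it checks (initial states in F_0, each F_i free of violating states, F_i and its post-image contained in F_{i+1}) are assumptions made here, with the frame conditions taken as the standard ones for this kind of algorithm.

```python
from collections import deque

# Constructed toy transition system (not from the paper): states are the
# integers 0..7, a state may stay put or advance by one modulo 8, and the
# property P is violated in states 6 and 7.
STATES = range(8)
INIT = {0}
BAD = {6, 7}

def successors(s):
    return {s, (s + 1) % 8}

def post(S):
    """Image of a set of states under one transition step."""
    return {t for s in S for t in successors(s)}

def distance_to_bad():
    """Minimum number of steps from every state to a P-violating state,
    computed by breadth-first search over reversed transitions."""
    dist = {s: 0 for s in BAD}
    queue = deque(BAD)
    while queue:
        t = queue.popleft()
        for s in STATES:
            if s not in dist and t in successors(s):
                dist[s] = dist[t] + 1
                queue.append(s)
    return dist

def frames_consistent(frames):
    """Assumed frame conditions: F_0 is the initial states, every F_i excludes
    P-violating states, and F_i together with post(F_i) lies inside F_{i+1}."""
    if frames[0] != INIT:
        return False
    for i, F in enumerate(frames):
        if F & BAD:
            return False
        if i + 1 < len(frames) and not (F | post(F)) <= frames[i + 1]:
            return False
    return True

def min_distance_per_frame(frames):
    """Smallest distance to a violating state among the states of each F_i."""
    dist = distance_to_bad()
    return [min(dist[s] for s in F) for F in frames]

def distance_bound_holds(frames):
    """The claim from the text: with frontier k = len(frames) - 1, every
    state of F_i is at least k - i steps away from violating P."""
    k = len(frames) - 1
    return all(d >= k - i for i, d in enumerate(min_distance_per_frame(frames)))

# Constructed over-approximating frames with the frontier at level k = 3.
FRAMES = [{0}, {0, 1, 2}, {0, 1, 2, 3, 4}, {0, 1, 2, 3, 4, 5}]
```

The frames deliberately over-approximate the exact reachable sets (F_1 contains state 2, which is not reachable in one step), yet the distance bound still holds because it follows from the frame conditions alone.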

Various approaches to generalizing counterexamples to k-induction have been 
explored [17,1,19]. Our work could in principle be applied as a method of 
strengthening k-induction. However, the technique already works well on its 
own and has the distinct advantage of posing small SAT problems. 

Finally, we draw on our previous work on inductive generalization [5]. This 
paper contributes k-step relative inductive generalization, which guarantees that 
all examined cubes can be inductively generalized if the property is invariant. 

6 Conclusion 

The empirical data suggest the effectiveness of k-step relative inductive 
generalization, a technique unlike — and therefore complementary to — other symbolic 
model checking methods. The most exciting direction for our ongoing research 
is to parallelize the algorithm. Our earlier work on inductive generalization was 
easily parallelized and sometimes yielded near-linear scaling with the number of 
nodes on hard benchmarks [3]. The new algorithm, although more complex in 
structure, should be similarly parallelizable since the implementation spends the 
majority of its time generating clauses incrementally. 

BMC is faster than our implementation at finding counterexample traces. We 
plan to investigate a combination of our algorithm with BMC in which generated 
clauses would constrain the SAT search space. 

Another direction for research is to apply the idea of finding k-step relative 
inductive generalizations of states in an infinite-state setting. 